Information Commissioner's Office 


Management Board minutes 


Monday 8 May 2017 

Members and other attendees present 

Paul Arnold Deputy Chief Executive Officer 

Ailsa Beaton Non-executive Director 

David Cooke Non-executive Director 

Simon Entwisle Deputy Commissioner (Operations) 
Elizabeth Denham Information Commissioner (chair) 

Rob Luke Deputy Commissioner (Policy) 

Jane McCall Non-executive Director 

Peter Bloomfield Senior Corporate Governance Manager (secretariat) 


1. Introductions and apologies 


1.1. There were apologies from Nicola Wood who was not 
able to attend. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Matters arising from the previous meeting 


3.1. There was a minor amendment to the minutes. All 
actions had been cleared. 


4. Commissioner’s forward look 
4.1. The Commissioner highlighted issues affecting the ICO. 


4.2. The Digital Economy Bill had received Royal Assent 
before Parliament was dissolved. The now Act provides the 
powers for a new ICO fee structure for its data protection and 
PECR work from April 2018. A consultation on the detail will 
follow the General Election. 


REDACTED 


4.3. The Commissioner reported that the civil monetary 
penalties issued to various charities recently had all been 
paid. A report to the Select Committee on ICO work in the 
area of charities and fund raising was being prepared for 
presentation after the General Election. The ICO believed that 
its intervention in this area had had an impact. 


4.4. The ICO had quickly engaged with the main UK political 
parties after the General Election had been called, to help 
ensure that political canvassing complied with the Data 
Protection Act and PECR. ICO guidance had been updated 
and Elizabeth Denham had written to the main parties 
reminding them of their responsibilities and inviting them to a 
meeting (held in London last Thursday) to explain the 
guidance and take questions. Parties based in Scotland, 
Wales and Northern Ireland were offered similar engagement. 


4.5. The Board was updated on the governance around how 
the ICO dealt with strategic files. The Senior Leadership 
Team was tracking and reviewing the work on these files 
regularly to ensure that the issues were dealt with quickly 
and effectively, and that there were adequate resources 
targeted on priority issues. The Board were supportive of the 
approach. 


4.6. Elizabeth Denham also advised that the Grants 
Programme is to be launched on 17 May with civil society 
groups, and that International, Technology and Intelligence 
Strategies were being developed. 


4.7. The recent meetings in the US involving the 
Commissioner and Simon Entwisle, aimed at building 
collaboration and cooperation, were detailed, as was recent 
work with the Article 29 Working Party. How this work might 
develop was also discussed. 


5. Corporate Governance 
Board terms of reference 


5.1. Terms of reference for the Management Board, Audit 
Committee and Senior Leadership Team were presented for 
agreement. Members had been circulated an earlier version 
of the documents which had been modified only slightly since 
then to reflect Senior Leadership Team discussion. 


5.2. It was agreed to review how well the Management 
Board terms of reference reflected its taking on of the role of 
the Remuneration Committee in the light of experience. 


5.3. It was confirmed that the Audit Committee terms of 
reference would come to the June meeting of the Committee. 


Information Rights Strategic Plan 


5.4. The Board was presented with the finalised Information 
Rights Strategic Plan. It had been shared with staff and the 
Department for Culture, Media and Sport, and would be 
launched externally soon. 


5.5. The intention was to report against the five goals on a 
quarterly basis - replacing the report against ICO Plan which 
was tabled at this meeting for the last time. 


5.6. The Board welcomed the direction the Information 
Rights Strategic Plan gave to the ICO and its work. 


Risk and opportunity management 


5.7. Paul Arnold provided an update on how the ICO was 
managing risk and opportunity. A statement of risk appetite 
had been developed, and the views of the Board were 
sought. 


5.8. Paul Arnold also highlighted the updated risk register, 
and a mock-up of a new format risk and opportunity register 
which was in the process of being developed and populated. 
The intention was for the new risk and opportunity register to 
be used as a working tool by steering groups and to feed up 
risks to the Senior Leadership Team and the Board. 


5.9. The Board supported the adoption of the risk appetite 
statement. 


5.10. There was discussion on the wording used to reflect the 
ICO's risk appetite in the area of legal issues. 


Paul Arnold to review the risk appetite statement as it 
related to appetite in the legal area by the end of May. 


5.11. Concern was expressed about the risk of losing staff as 
GDPR implementation came closer. There remained a risk 
that the ICO might lose staff in large numbers, but to date 
the greater risk was felt to be that the ICO could lose people 
in particular roles who, because of their experience, were 
especially hard to replace. 


5.12. The Non-executive Directors asked if the report 
previously provided on technological risks was still being 
maintained. This had been provided previously when updated 
and had been very useful. 


Rob Luke to update Board members on how they are to 
be kept informed of horizon scanning in respect of 
technological changes and their impact on information 
rights. By the end of May. 


5.13. Paul Arnold advised that financial risk would be 
discussed at the June audit committee, with the likelihood 
and impact of these risks expected to reduce given recent 
mitigating actions. 


Annual Report update 


5.14. Peter Bloomfield updated the Board on the drafting of 
the ICO Annual Report and Accounts 2016-17. 


5.15. A hard copy of the current draft was provided for the 
Board. An electronic version would be circulated the next day, 
for comments from the Board members but also more widely, to 
fill gaps and to check the content. 


5.16. Board members’ attention was drawn to the Governance 
Statement and Directors’ Report. In respect of the Board’s 
evaluation of its own performance, given the major changes 
in Board membership it was considered more appropriate to 
do this formally at a later stage. 


5.17. The question was raised whether individual Board 
members' performance should be appraised formally. The 
Board supported such an approach as part of its broader 
collective working, and certainly there needed to be a formal 
assessment when deciding whether to extend membership 
beyond the initial three years. It was also thought that the 
Non-executive Directors should feed back on the 
performance of the executive. 


The Commissioner to liaise with Mike Collins, Head of 
Organisational Development, in respect of the formal 
assessment of Board members and to report back to 
the next Board meeting. 


Peter Bloomfield to research guidance on the 
evaluation of Board performance and to discuss with 
the Commissioner by the end of May. 


6. Certification strategy 


6.1. Rob Luke updated the Board on the decision taken by 
the Commissioner in relation to the ICO’s approach to 
certification under the General Data Protection Regulation. 
This involved moving forward on a longer time-frame than 
originally anticipated given both higher GDPR priorities and 
the need for ICO work to be informed by the ongoing 
development of guidance and practice at a European level. 
The approach would focus on delivering certification through 
a privacy management accountability framework. 


6.2. The approach taken was supported by the Board. 


7. Performance against the ICO Plan 


Performance report 


7.1. The report on the end of year performance against the 
ICO Plan was presented for the last time in its current form. 
Performance against the new Information Rights Strategic 
Plan would be reported on in future. This would include the 
softer elements of performance reporting, for example on the 
quality, and not just quantity, of work done. It was noted 
that the goals in the new Information Rights Strategic Plan 
were less quantitative and more qualitative. 


7.2. In respect of quality measurement, Paul Arnold advised 
that the ICO does make use of annual stakeholder research. 
However, this approach was expensive and did not provide 
information in real time. Hence other ways of understanding 
customer satisfaction were also being used, for example by 
asking people to leave feedback all year round as they used a 
given service. 


7.3. There followed a more general discussion about 
reporting to the Board. One suggested approach was to 
provide ongoing access to background performance 
information, with this leaving the Board papers free to focus 
on analysis of risks and opportunities. 


The Commissioner, Paul Arnold and Peter Bloomfield to 
consider how to revise the approach to Board papers in 
time for the next meeting. 


Information rights report 


7.4. The Information Rights Report was considered. Issues 
discussed included the consultation on derogations and the 
Privacy Shield issue. 


8. Directorate steering group reports 


Operations 
8.1. The operations report was presented for information. 


Policy 


8.2. Rob Luke advised that the ICO was developing a 
Parliamentary and Government Engagement Strategy to 
guide our engagement following the General Election. It was 
also developing a Technology Strategy but on a longer 
timescale. 


DCEO 


8.3. The focus of discussion on this report was the plans for 
increasing ICO staffing levels for GDPR implementation. 


8.4. The ICO was forecasting a 30% increase in work across 
most areas as a result of GDPR. It was difficult to estimate 
the actual impact and its timing but much work had been 
done on detailed plans with the aim of enabling the ICO to 
maximise capacity and capability in the crucial build up to 
GDPR implementation. 


8.5. It was agreed that the ICO had to ensure it was 
re-focusing existing resources on its new priorities as efficiently 
as possible, and was making as much use of technology as 
possible to help it work efficiently. It was confirmed that the 
ICO was looking at using existing resources and identifying gaps. 


8.6. In respect of the use of IT, Paul Arnold advised that a 
five-year IT plan had been signed off in 2015 and confirmed 
that it should come back to the Board now. It included 
ensuring that, where possible, stakeholders could make use of 
self-service options. 


Paul Arnold to bring the IT plan to the Board in August. 


9. Senior Leadership Team meetings 


9.1. Minutes of Senior Leadership Team meetings since the 
last Board were presented for information. 


9.2. It was considered that the Senior Leadership Team was 
settling down and that links with Department Heads would be 
retained. 


10. Audit Committee 


10.1. Ailsa Beaton reported on the most recent Audit 
Committee. The Committee had discussed the ICO going 
concern issue given the need for legislation related to GDPR 
and noted that the Audit Plan was in train for completion. 


11. Any other business 
11.1. There was no other business. 


